Particularly noteworthy in the Lurid campaign is the ease with which the perpetrators managed to compromise their victims in the first place: They simply used known Adobe Reader exploits and malicious screensavers to infect user machines with malicious downloaders, which in turn connected to the hackers' command-and-control servers to await further instructions. As for the payload, Trend Micro found that the downloader could install malware as a Windows service. It could also copy itself into the system folder and "ensure persistence by changing the common startup folder in Windows."
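A defender's check for the last persistence technique quoted above, as an added example that is not code from Trend Micro or from this article: it reports where the machine-wide startup folder currently points and what it contains. It assumes the change is visible in the `Common Startup` value of the two Explorer shell-folder registry keys and that the host uses the Windows Vista-or-later default path; the helper name `Test-CommonStartupPath` is hypothetical.

```powershell
# Added example: audit the machine-wide "Common Startup" shell-folder setting.
# Assumption: a changed startup folder is visible in these two registry keys.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
)
# Assumption: Windows Vista or later, where this is the default location.
$expected = '%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup'

# Hypothetical helper: compare two paths after expanding environment
# variables, ignoring case and a trailing backslash.
function Test-CommonStartupPath {
    param(
        [Parameter(Mandatory)][string]$Configured,
        [Parameter(Mandatory)][string]$Expected
    )
    $a = [Environment]::ExpandEnvironmentVariables($Configured).TrimEnd('\')
    $b = [Environment]::ExpandEnvironmentVariables($Expected).TrimEnd('\')
    return [string]::Equals($a, $b, [StringComparison]::OrdinalIgnoreCase)
}

$report = foreach ($key in $keys) {
    $regKey = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    $value  = if ($regKey) { $regKey.GetValue('Common Startup', $null) }
    if (-not $value) {
        [pscustomobject]@{ Key = $key; Configured = '<missing>'; MatchesDefault = $false; Entries = @() }
        continue
    }
    $dir = [Environment]::ExpandEnvironmentVariables([string]$value)
    # Everything in the configured folder is launched at logon, so list it.
    $entries = @(Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name)
    [pscustomobject]@{
        Key            = $key
        Configured     = $value
        MatchesDefault = Test-CommonStartupPath -Configured $value -Expected $expected
        Entries        = $entries
    }
}
$report | Format-List

# Constructed sample value (not from the report): compare a non-default
# folder against the expected default.
Test-CommonStartupPath -Configured 'C:\Users\Public\Startup' -Expected $expected
```

A row with `MatchesDefault` set to false, or unexpected executables or screensaver files under `Entries`, is worth triaging alongside newly registered services on the same host.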